We throw the word risk around a lot – our audit approach is risk-based, there are risks to the achievement of objectives, we need to know the organization's risk tolerance, we have to manage the risk of the internal audit activity, there may be a risk in issuing that audit report at this time. But the thing I find fascinating is that, in spite of there being authoritative pronouncements on the subject, we often, without realizing it, do not agree on the meaning of the word.
Now, to catch anyone up who has not been following along at home, I've been going on for a little while now
about how internal audit needs to better understand the many places where we should be reaching agreement with our customers. It has to be embedded in every conversation we have. My premise: If we have agreement up front, we will have fewer challenges throughout the audit process.
But how can we have agreement with customers if we can't even agree among ourselves. And, just as we do not fully understand the full gamut of situations where we need to have the customer's agreement, we do not realize how often we are accidently disagreeing with each other because we have not done something as basic as agree on or understand the terms we use.
The one I keep stumbling across is our use and understanding of the word "risk".
Anytime I'm speaking about anything that even tangentially references concepts about risk (and we are a risk-focused profession; it comes up...a lot), I propose the following conundrum. Assume an organization has the objective "To accurately report financial statements." (We can all agree this is not perfectly phrased and a bit simplistic, but it suffices for this exercise.) Now let's ask this question: Is it correct to say that one risk to this objective is "that financial statements are inaccurately reported"?
[Cue Jeopardy theme music]
The last time I gave this quiz, 100% of respondents indicated that this was, indeed, a risk. 100% of those individuals were wrong.
[He shrinks back from the hue and cry of those who feel they are correct and he is wrong. The catcalls and boos rain down like broken glass from multiple defenestrations. An inundation of rotten tomatoes and spoiled vegetables heaps about him like leftovers from a three-week-old trash collector's strike. Half-filled beer bottles fly through the chicken wire. But he stands, resolute in the knowledge that he is correct.]
Many auditors fall into the trap of believing the opposite of an objective is a risk. It was something I had to constantly watch for from the auditors who worked for me. No matter how many times we went over it, the "anti-objective" risk would raise its ugly little head from time to time. And to throw a few bricks at my own glass house, to this day, when I am making up examples of risks during seminars, I will fall into the trap myself.
Well, I can stand here all sanctimonious and pompous, wrapped in the belief that I am correct. But, as any auditor should ask, where is my proof?
I've got some pretty good sources up my sleeve. First, COSO's updated Control Framework. "Risk: The possibility that an event will occur and adversely affect the achievement of objectives." (p. 146 – The Glossary)
"Well," you might say, "You know how those sponsoring organizations can be – always working so hard for compromise that they get some parts wrong." Not so fast, Gumball.
Source number 2 – The Standards, the IPPF, the Red Book. "Risk: The possibility of an event occurring that will have an impact on the achievement of objectives." (p. 43 – The Glossary)
So, a risk is not the opposite of an objective; a risk is an event, an occurrence, something that happens that means the objective may not go exactly as planned. In the previous example, risks might include the computer breaks, no one checks the math, "accuracy" has not been defined, the world comes to an end. None of these are necessarily well-articulated risks, but they are risks – they are events, occurrences that can impact the objective.
There are a lot of important reasons for reminding ourselves what we mean when we talk about risk (not least of which is obtaining the CRMA). But when we talk about agreement being the core to reducing the challenges within the audit process, how can we even pretend to have discussions with our customers if we do not understand what we are talking about. We want to talk to them about risk – we want to talk to them about ensuring they reach their objectives – and we don't even know what we mean when we use the word "risk".
Think of it this way – how much value is there in telling someone that the risk is that they won't meet their objectives. There is no defense (control/mitigation) to such a risk. And I'm willing to bet the auditee will not see a whole lot of value in that information. Instead, having a discussion about the things that can happen which would impact those objectives leads to a valuable conversation; it means the conversation can focus on how risks are measured, how they are defined, and how they are controlled.
I'm not trying to scare you (then again, maybe I am), but if we are going to discuss risk (and any of the other terms we throw about as if we knew what they meant – objective, mitigation, control, fill-in-an-auditing-concept here), then we better know and agree on what we are talking about before we engage our customers in conversation.
Next on the "It's All About Agreement" cavalcade, comments from a reader about The Nuclear Option. See you next week.